;;; sasl-xoauth2.el --- OAuth 2.0 module for the SASL client framework  -*- lexical-binding: t -*-

;; Copyright (C) 2018 Kazuhiro Ito

;; Author: Kazuhiro Ito <kzhr@d1.dion.ne.jp>
;; Keywords: SASL, OAuth 2.0
;; Created: January 2018

;; This program is free software; you can redistribute it and/or modify
;; it under the terms of the GNU General Public License as published by
;; the Free Software Foundation; either version 3, or (at your option)
;; any later version.
;;
;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU General Public License for more details.
;;
;; You should have received a copy of the GNU General Public License
;; along with this program; see the file COPYING.  If not, write to the
;; Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
;; Boston, MA 02110-1301, USA.

;;; Commentary:

;; This is a SASL interface layer that builds the XOAUTH2 authorization
;; message from an OAuth 2.0 bearer token obtained through oauth2.el.

;;; Requirements:
;;
;; * oauth2.el
;; https://elpa.gnu.org/packages/oauth2.html

;;; Usage
;;
;; 1. Set up sasl-xoauth2-host-url-table and
;; sasl-xoauth2-host-user-id-table variables.
;;
;; 2. When passphrase is asked, input client secret.

;;; Code:

(require 'cl-lib)                       ; `cl-struct-slot-info'
(require 'url-util)                     ; `url-hexify-string'
(require 'sasl)
(require 'oauth2)

(defconst sasl-xoauth2-steps
  '(sasl-xoauth2-response)
  "Steps of the XOAUTH2 mechanism.
XOAUTH2 is a single-message mechanism: the only step is the initial
client response built by `sasl-xoauth2-response'.")

;; Customization group for this module; filed under `mail' because the
;; SASL client framework is used by mail and news readers.
(defgroup sasl-xoauth2 nil
  "SASL interface layer for OAuth 2.0 authorization message."
  :group 'mail)

(defcustom sasl-xoauth2-token-directory
  (expand-file-name "sasl-xoauth2" user-emacs-directory)
  "Directory in which per-account OAuth 2.0 token files (plstores) are kept.
Each account gets its own \".plstore\" file in this directory, named
by `sasl-xoauth2-response' from the client ID, client secret and user.
It has no effect when `sasl-xoauth2-share-token-file' is non-nil, in
which case `oauth2-token-file' is used instead."
  :type 'directory
  :group 'sasl-xoauth2)

(defcustom sasl-xoauth2-refresh-token-threshold 60
  "Refresh the access token when fewer than this many seconds of life remain.
Used by `sasl-xoauth2-token-expired-p' to decide, before each
authentication, whether `sasl-xoauth2-refresh-access' must be called.
It has no effect when `sasl-xoauth2-handle-token-expiration' is nil,
because then oauth2.el itself decides when to refresh."
  :type 'number
  :group 'sasl-xoauth2)

(defcustom sasl-xoauth2-host-url-table
  '(;; Gmail
    ("\\.gmail\\.com$"
     "https://accounts.google.com/o/oauth2/v2/auth"
     "https://www.googleapis.com/oauth2/v4/token"
     "https://mail.google.com/"
     ;; redirect URI is required
     "http://localhost/result")
    ;; Outlook.com
    ("\\.outlook\\.com$"
     "https://login.live.com/oauth20_authorize.srf"
     "https://login.live.com/oauth20_token.srf"
     "wl.offline_access wl.imap"
     ;; You need register redirect URL at Application Registration Portal
     ;; https://apps.dev.microsoft.com/
     "http://localhost/result")
    ;; office365
    ("\\.office365\\.com$"
     "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     "https://login.microsoftonline.com/common/oauth2/v2.0/token"
     "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access"
     nil)
    ;; yahoo.com
    ("\\.yahoo\\.com$"
     "https://api.login.yahoo.com/oauth2/request_auth"
     "https://api.login.yahoo.com/oauth2/get_token"
     "mail-w"
     nil)
    ;; aol.com
    ("\\.aol\\.com$"
     "https://api.login.aol.com/oauth2/request_auth"
     "https://api.login.aol.com/oauth2/get_token"
     "mail-w"
     nil))
  "Per-provider OAuth 2.0 endpoints, selected by a regexp on the server host.
Each element is a list (HOST-REGEXP AUTH-URL TOKEN-URL SCOPE REDIRECT-URI).
`sasl-xoauth2-resolve-urls' uses the first element whose HOST-REGEXP
matches the SASL server name; the built-in regexps are anchored only at
the end of the host name.  SCOPE is passed to the provider verbatim, so
several scopes are separated by spaces.  REDIRECT-URI may be nil when the
provider does not need one; when given, it has to be the URI registered
for the client ID with that provider."
      :type '(repeat (list
		      (regexp :tag "Regexp for Host")
		      (string :tag "Auth-URL")
		      (string :tag "Token-URL")
		      (string :tag "Scope")
		      (choice string (const :tag "none" nil))))
      :group 'sasl-xoauth2)

(defcustom sasl-xoauth2-host-user-id-table
  nil
  "OAuth 2.0 client credentials, selected by regexps on host and user ID.
Each element is a list (HOST-REGEXP USER-REGEXP CLIENT-ID CLIENT-SECRET).
`sasl-xoauth2-resolve-urls' uses the first element whose HOST-REGEXP
matches the SASL server name and whose USER-REGEXP matches the user name.
CLIENT-SECRET is optional: a secret written here is stored in clear text
in your init or custom file; leave it nil to have `sasl-xoauth2-response'
ask for it with `sasl-read-passphrase' instead.
"
  :type '(repeat (list
		  (regexp :tag "Regexp for Host")
		  (regexp :tag "Regexp for User ID")
		  (string :tag "Client ID")
		  (choice :tag "Client Secret"
			  string
			  (const :tag "none" nil))))
  :group 'sasl-xoauth2)

(defcustom sasl-xoauth2-share-token-file
  nil
  "When non-nil, keep tokens in the default plstore named by `oauth2-token-file'.
When nil, each account gets its own plstore under
`sasl-xoauth2-token-directory'.  Must be nil on oauth2.el 0.17 and
earlier."
  :type 'boolean
  :group 'sasl-xoauth2)

;; Version probe: oauth2.el 0.18 added a `request-cache' slot to the
;; `oauth2-token' struct, and with it its own expiry handling.  When that
;; slot is absent (older oauth2.el) this module tracks the issue time and
;; lifetime of the access token itself.
(defvar sasl-xoauth2-handle-token-expiration
  (null (assq 'request-cache (cl-struct-slot-info 'oauth2-token)))
  "When non-nil, enable own token expiration handling.
oauth2.el 0.18 and later can handle by itself.  The value is computed at
load time from the slots of the `oauth2-token' struct.")

;; Advice on `oauth2-make-access-request' recording, as an `auth_time'
;; entry, when the token endpoint answered.  It is defined disabled and
;; is only switched on around `oauth2-auth-and-store' in
;; `sasl-xoauth2-response' when this module tracks expiry itself.
(defadvice oauth2-make-access-request (after sasl-xoauth2 disable)
  "Prepend an (auth_time . NOW) entry to the response alist."
  (push (cons 'auth_time (current-time)) ad-return-value))

(defun sasl-xoauth2-validate-response (response)
  "Check that RESPONSE, an alist parsed from the token endpoint, is usable.
Signal an error when RESPONSE carries an `error' entry or has no
`access_token' entry; otherwise return t."
  (when (assq 'error response)
    (error "Could not get oauth2 response: %s" response))
  (unless (assq 'access_token response)
    (error "Could not get oauth2 access token: %s" response))
  t)

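;; Modified version of `oauth2-refresh-access'.  It keeps the refresh
;; time and updates the expires_in parameter so that
;; `sasl-xoauth2-token-expired-p' can judge the token's lifetime.
(defun sasl-xoauth2-refresh-access (token)
  "Refresh OAuth access TOKEN in place and return it.
TOKEN should be obtained with `oauth2-request-access'.  The new access
token is stored in TOKEN; its access response gets the current time under
`auth_time' and the `expires_in' lifetime reported by the server, if any.
When TOKEN has a plstore, the updated token material is written back
through `plstore-put' as the SECRET part, which plstore keeps encrypted.
Signals an error via `sasl-xoauth2-validate-response' when the server
reply carries an `error' entry or no `access_token'."
  ;; url package would fail on Windows without EOL conversion.
  (let* ((inhibit-eol-conversion nil)
	 (coding-system-for-read nil)
	 ;; Percent-encode every value: client secrets and refresh tokens
	 ;; may contain `&', `=', `+' or `%', which would otherwise corrupt
	 ;; the application/x-www-form-urlencoded body.  A nil secret is
	 ;; sent as an empty value, as the previous `concat' did.
	 (body
	  (mapconcat
	   (lambda (pair)
	     (concat (car pair) "="
		     (url-hexify-string (or (cdr pair) ""))))
	   `(("client_id" . ,(oauth2-token-client-id token))
	     ("client_secret" . ,(oauth2-token-client-secret token))
	     ("refresh_token" . ,(oauth2-token-refresh-token token))
	     ("grant_type" . "refresh_token"))
	   "&"))
	 (response
	  (oauth2-make-access-request (oauth2-token-token-url token) body)))
    (sasl-xoauth2-validate-response response)
    (setf (oauth2-token-access-token token)
          (cdr (assq 'access_token response)))
    (let* ((access-response (oauth2-token-access-response token))
	   (auth-time (assq 'auth_time access-response))
	   (old-expiry (assq 'expires_in access-response))
	   (new-expiry (assq 'expires_in response)))
      ;; Record the issue time of the new access token.  A token stored
      ;; before this module was in use may lack the entry; add it then.
      (if auth-time
	  (setcdr auth-time (current-time))
	(push (cons 'auth_time (current-time)) access-response))
      ;; Carry over the lifetime reported by the server.
      (cond
       ((and old-expiry new-expiry)
	(setcdr old-expiry (cdr new-expiry)))
       (old-expiry
	;; The server did not report a lifetime; keep the previous value
	;; as the best available estimate.
	nil)
       (new-expiry
	(push new-expiry access-response)))
      (setf (oauth2-token-access-response token) access-response)))
  ;; If the token has a plstore, update it.
  (let ((plstore (oauth2-token-plstore token)))
    (when plstore
      (plstore-put plstore (oauth2-token-plstore-id token)
                   nil `(:access-token
                         ,(oauth2-token-access-token token)
                         :refresh-token
                         ,(oauth2-token-refresh-token token)
                         :access-response
                         ,(oauth2-token-access-response token)))
      (plstore-save plstore)))
  token)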

(defun sasl-xoauth2-resolve-urls (host user)
  "Look up OAuth 2.0 endpoints and client credentials for HOST and USER.
Return a list (AUTH-URL TOKEN-URL SCOPE CLIENT-ID CLIENT-SECRET
REDIRECT-URI).  The first entry of `sasl-xoauth2-host-url-table' whose
host regexp matches HOST supplies AUTH-URL, TOKEN-URL, SCOPE and
REDIRECT-URI; the first entry of `sasl-xoauth2-host-user-id-table' whose
host and user regexps match HOST and USER supplies CLIENT-ID and
CLIENT-SECRET.  Slots with no matching entry are nil."
  (let ((urls (catch 'found
		(dolist (entry sasl-xoauth2-host-url-table)
		  (when (string-match (car entry) host)
		    (throw 'found (cdr entry))))
		nil))
	(creds (catch 'found
		 (dolist (entry sasl-xoauth2-host-user-id-table)
		   (when (and (string-match (car entry) host)
			      (string-match (nth 1 entry) user))
		     (throw 'found (nthcdr 2 entry))))
		 nil)))
    (list (nth 0 urls)
	  (nth 1 urls)
	  (nth 2 urls)
	  (nth 0 creds)
	  (nth 1 creds)
	  (nth 3 urls))))

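(defun sasl-xoauth2-token-expired-p (token)
  "Return non-nil when the access token in TOKEN should be refreshed.
The deadline is the `auth_time' of the access response plus its
`expires_in' lifetime.  The token counts as expired when fewer than
`sasl-xoauth2-refresh-token-threshold' seconds remain before that
deadline, or when either entry is missing, since the deadline cannot be
computed then and refreshing is the safe choice."
  (let* ((access-response (oauth2-token-access-response token))
	 (expires-in (cdr (assq 'expires_in access-response)))
	 (auth-time (cdr (assq 'auth_time access-response))))
    (or (null expires-in)
	(null auth-time)
	;; Expired when the deadline lies before now + threshold, i.e.
	;; less than the threshold remains.  (The former code compared
	;; against now - threshold, which only refreshed a token that had
	;; already been expired for longer than the threshold.)
	(time-less-p (time-add auth-time expires-in)
		     (time-add (current-time)
			       sasl-xoauth2-refresh-token-threshold)))))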

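(defun sasl-xoauth2-response (client _step &optional _retry)
  "Return the XOAUTH2 initial client response for CLIENT.
CLIENT is a SASL client object; its server name and user name select the
OAuth 2.0 endpoints and client credentials via `sasl-xoauth2-resolve-urls'.
Whatever the tables do not provide is asked interactively, the client
secret through `sasl-read-passphrase' so that it is not echoed.  STEP and
RETRY are ignored.

The token is obtained or loaded with `oauth2-auth-and-store' from a
plstore: `oauth2-token-file' when `sasl-xoauth2-share-token-file' is
non-nil, otherwise a file under `sasl-xoauth2-token-directory' named
from the client ID, client secret and user.  It is refreshed when needed
and returned as \"user=USER^Aauth=Bearer TOKEN^A^A\", ^A being the
control-A separator the XOAUTH2 mechanism requires.

NOTE(review): the returned string carries the bearer token in clear; the
caller is responsible for sending it only over a TLS-protected
connection."
  (let ((host (sasl-client-server client))
	(user (sasl-client-name client))
	;; url package would fail on Windows without EOL conversion.
	(inhibit-eol-conversion nil)
	(coding-system-for-read nil)
	info oauth2-token
	auth-url token-url client-id scope redirect-uri client-secret)
    (setq info (sasl-xoauth2-resolve-urls host user)
	  auth-url
	  (or (car info)
	      (read-string (format "Input OAuth 2.0 AUTH-URL for %s: " host)))
	  token-url
	  (or (nth 1 info)
	      (read-string (format "Input OAuth 2.0 TOKEN-URL for %s: " host)))
	  scope
	  (or (nth 2 info)
	      (read-string (format "Input OAuth 2.0 SCOPE for %s: " host)))
	  client-id
	  (or (nth 3 info)
	      (read-string
	       (format "Input OAuth 2.0 CLIENT-ID for %s@%s: " user host)
	       user nil user))
	  client-secret
	  (or (nth 4 info)
	      (sasl-read-passphrase
	       (format "Input Oauth 2.0 CLIENT-SECRET for %s@%s: " user host)))
	  redirect-uri
	  (or (nth 5 info)
	      ;; Do not ask when sasl-xoauth2-host-url-table is
	      ;; matched.
	      (unless (car info)
		(read-string
		 (format "Input OAuth 2.0 Redirect-URI for %s: " host)))))
    (let ((oauth2-token-file
	   (if sasl-xoauth2-share-token-file
	       oauth2-token-file
	     ;; The MD5 only derives a stable per-account file name; it
	     ;; is not what protects the stored tokens.  A nil secret
	     ;; contributes nothing to the name.
	     (expand-file-name (concat
				(md5 (concat
				      client-id
				      client-secret
				      user))
				".plstore")
			       sasl-xoauth2-token-directory))))
      (setq oauth2-token
	    (if (null sasl-xoauth2-handle-token-expiration)
		(oauth2-auth-and-store
		 auth-url token-url scope client-id client-secret
		 redirect-uri nil user host)
	      ;; Enable the auth_time advice only for the duration of
	      ;; this call, and disable it again even if the
	      ;; authorization flow fails or is quit by the user, so it
	      ;; never stays active for other users of oauth2.el.
	      (ad-enable-advice
	       'oauth2-make-access-request 'after 'sasl-xoauth2)
	      (ad-activate 'oauth2-make-access-request)
	      (unwind-protect
		  (oauth2-auth-and-store
		   auth-url token-url scope client-id client-secret
		   redirect-uri nil user host)
		(ad-disable-advice 'oauth2-make-access-request
				   'after 'sasl-xoauth2)
		(ad-activate 'oauth2-make-access-request))))
      (sasl-xoauth2-validate-response
       (oauth2-token-access-response oauth2-token))
      ;; oauth2.el 0.18+ refreshes on its own; otherwise refresh only
      ;; when our own bookkeeping says the token is about to expire.
      (cond
       ((null sasl-xoauth2-handle-token-expiration)
	(setq oauth2-token (oauth2-refresh-access oauth2-token host)))
       ((sasl-xoauth2-token-expired-p oauth2-token)
	(setq oauth2-token (sasl-xoauth2-refresh-access oauth2-token))))
      ;; \001 is the octal escape for control-A.
      (format "user=%s\001auth=Bearer %s\001\001"
	      (sasl-client-name client)
	      (oauth2-token-access-token oauth2-token)))))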

;; Register the mechanism with the SASL framework under the name the
;; server advertises ("XOAUTH2"); `sasl-find-mechanism' looks it up via
;; the `sasl-mechanism' property of the `sasl-xoauth2' symbol.
(put 'sasl-xoauth2 'sasl-mechanism
     (sasl-make-mechanism "XOAUTH2" sasl-xoauth2-steps))

(provide 'sasl-xoauth2)

;;; sasl-xoauth2.el ends here
